macOS Touch ID: how to force an immediate password check

How to quickly and selectively disable macOS Touch ID and Apple Watch unlocking at the lock screen and enforce a password check.

In a trusted place you want the convenience of Touch ID and Apple Watch unlock. But there are times and places where you would rather have them off and be asked for the password instead. There has been some discussion on StackExchange on how to achieve this, but it did not reach a practical conclusion.

So I gave it a try.

Built-in management

macOS ships a command-line tool, bioutil, for reading and changing the Touch ID settings of the current user and of the system:

% bioutil
You must select whether to read or write Touch ID configuration or perform a Touch ID operation (--count, --purge, --delete).
Usage:
bioutil {-r | -w [-f { 0 | 1 }] [-u { 0 | 1 }] [-a { 0 | 1 }] [-o <seconds>]} | [-c] | [-p] | [-d <uid>] [-s] 

Options:
    -r, --read                      Read current Touch ID settings
    -w, --write                     Write new Touch ID settings
    -s, --system                    Flag to read/write systemwide Touch ID settings or perform systemwide operations
    -f, --function                  Enable (1) or disable (0) Touch ID functionality in general (system settings only)
    -u, --unlock $value             Enable (1) or disable (0) Touch ID for unlock
    -a, --applepay $value           Enable (1) or disable (0) Touch ID for ApplePay (user settings only)
    -o, --timeout $value            Set Touch ID timeout (in seconds, system settings only)
    -c, --count                     Print number of enrolled fingerprints of the current user or of all users (-s, administrator only)
    -p, --purge                     Delete all enrolled fingerprints of the current user or of all users (-s, administrator only)
    -d, --delete $uid               Delete all enrolled fingerprints of the given user (administrator only)

When run by a normal user, the command prompts for the user's password before it changes anything, for obvious reasons:

% bioutil -w -u 0
Current user's password: 

So for use in scripts, or from anything that has no terminal attached to stdin, this is impractical.

Let's consider the worst case if we allow the write operations to run without a password:

  • Enrolled fingerprints can be wiped (--purge, --delete). Acceptable: we still know our password.
  • Touch ID can be disabled without a password. In our case that is exactly what we want.
  • With --system, Touch ID can also be re-enabled for unlock (-u 1) and the timeout (-o) extended beyond the default. This is the one change that weakens the setup, and a reason to restrict the sudo rule to the exact arguments you need: sudoers matches a command's arguments literally.

bioutil cannot enroll new fingerprints, so nothing here lets anyone add a new way in. Fair enough.

Be aware of function creep: a future version of bioutil might gain new write options, and a sudo rule that allows the binary with any arguments would cover those too.

Allowing it to run without a password

Create a sudoers drop-in file /etc/sudoers.d/bioutil and edit it with visudo, which syntax checks the file before saving it (a broken sudoers file locks every admin out of sudo):

% sudo visudo -f /etc/sudoers.d/bioutil

The drop-in is only read if the main file includes the directory; the stock macOS /etc/sudoers includes /private/etc/sudoers.d, which you can confirm with `sudo grep includedir /etc/sudoers`. The following line allows members of the admin group (every administrator account on macOS; replace %admin with a user name to limit it to one account) to run bioutil without entering a password:

%admin        ALL = NOPASSWD: /usr/bin/bioutil

As written this permits any bioutil arguments, including --purge. sudoers also accepts a command followed by an exact argument list, so you can allow only the two invocations used in the alias below.

Putting it all together

Now that bioutil runs without a password, let's create an alias that expires Touch ID and Apple Watch unlock, puts the display to sleep (the lock screen only appears if "require password after sleep or screen saver begins" is set to immediately in the settings, of course) and then restores a sensible timeout:

alias lockscreen="\
  sudo bioutil -w -s -o 1; \
  pmset displaysleepnow; \
  sleep 2; \
  sudo bioutil -w -s -o 1800; \
  "

Why use the system-wide -s flag and not -w -u 0 / -w -u 1? Because the per-user write still asks for the user's password. With the timeout approach, Touch ID expires after 1 second, so the next unlock demands the password, and the timeout is afterwards reset to a more reasonable 30 minutes instead of the 48 hour default. Adjust the 1800 to your liking.

The added sleep ensures the 1 second timeout has elapsed before it is raised again. In my tests it worked without it, but it is cheap insurance. Check the result by waking the display: the lock screen should ask for the password, and `bioutil -r -s` should show the restored timeout afterwards. If the alias is interrupted between the two writes, the timeout stays at 1 second and Touch ID will keep refusing; run `sudo bioutil -w -s -o 1800` by hand to recover.
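The whole procedure as one script, added here as an example and not code from the original post: the sudoers rule is restricted to the two exact bioutil invocations the lock needs, it is syntax checked with visudo before being installed, sudo runs non-interactively so nothing can block on a password prompt, and the timeout is read back afterwards. Assumptions that are not from the post: the helper names (bioutil_sudoers_rule, install_bioutil_rule, lockscreen_preflight, touchid_timeout_seconds, lockscreen) and the "Touch ID timeout (in seconds): N" line format of `bioutil -r -s` output that the parser expects.

```shell
#!/bin/bash
# Added example, not code from the original post. Assumed: the helper names
# and the "Touch ID timeout (in seconds): N" line of `bioutil -r -s` output.

BIOUTIL=/usr/bin/bioutil                  # the path sudoers matches on
RULE_FILE=/private/etc/sudoers.d/bioutil  # /etc is a symlink to /private/etc
EXPIRE_SECONDS=1                          # makes the lock screen demand the password
RESTORE_SECONDS=1800                      # 30 minutes instead of the 48 hour default

# Render the sudoers rule. sudo matches command arguments literally, so only
# these two invocations run without a password: "bioutil -p", "bioutil -w -s -u 1"
# or a longer -o value still prompt, even if a future bioutil grows new options.
# Avoid "*" in the argument list: a sudoers wildcard matches across arguments.
bioutil_sudoers_rule() {
  local group="${1:-admin}"   # macOS administrator accounts are members of "admin"
  printf '%%%s ALL = (root) NOPASSWD: %s -w -s -o %s, %s -w -s -o %s\n' \
    "$group" "$BIOUTIL" "$EXPIRE_SECONDS" "$BIOUTIL" "$RESTORE_SECONDS"
}

# Write the rule to a temp file, let visudo parse it, and only then install it
# with the ownership and mode sudo insists on. A syntax error in sudoers.d
# would otherwise disable sudo for every admin on the machine.
install_bioutil_rule() {
  local tmp rc=1
  tmp=$(mktemp) || return 1
  bioutil_sudoers_rule "$@" >"$tmp"
  # The drop-in is only read if /etc/sudoers includes the directory; macOS
  # ships that include, but a hand-edited sudoers may have lost it.
  sudo grep -Eq '^[#@]includedir[[:space:]]+/(private/)?etc/sudoers\.d' /etc/sudoers ||
    echo "warning: /etc/sudoers does not include sudoers.d" >&2
  sudo chown root:wheel "$tmp" && sudo chmod 0440 "$tmp" || { sudo rm -f "$tmp"; return 1; }
  if sudo visudo -c -f "$tmp"; then
    sudo install -m 0440 -o root -g wheel "$tmp" "$RULE_FILE" && rc=0
  fi
  sudo rm -f "$tmp"
  return "$rc"
}

# Confirm the rule is active: "sudo -l command" reports whether this exact
# command line is permitted, and -n makes sudo fail rather than prompt.
lockscreen_preflight() {
  sudo -n -l "$BIOUTIL" -w -s -o "$EXPIRE_SECONDS" >/dev/null &&
    sudo -n -l "$BIOUTIL" -w -s -o "$RESTORE_SECONDS" >/dev/null
}

# Extract the timeout from `bioutil -r -s` output on stdin. Assumed line
# format: "Touch ID timeout (in seconds): 172800". Prints nothing if absent.
touchid_timeout_seconds() {
  sed -n 's/.*[Tt]imeout.*:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Expire Touch ID, lock via display sleep, then restore the 30 minute timeout.
# Prints the timeout in effect afterwards so the caller can verify the restore.
lockscreen() {
  lockscreen_preflight || { echo "sudo rule for bioutil is not active" >&2; return 1; }
  sudo -n "$BIOUTIL" -w -s -o "$EXPIRE_SECONDS" || return 1
  pmset displaysleepnow   # locks only if "require password after sleep" is immediate
  sleep 2
  sudo -n "$BIOUTIL" -w -s -o "$RESTORE_SECONDS" || return 1
  "$BIOUTIL" -r -s | touchid_timeout_seconds
}
```

Source the file in your shell, run install_bioutil_rule once (it prompts for your password once, through sudo), then use lockscreen in place of the alias. If lockscreen fails between its two writes, the timeout is still 1 second: run `sudo bioutil -w -s -o 1800` by hand to recover.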